CVE Alert

CVE-2025-70995

Severity: HIGH 8.8
CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.

Vendor n/a
Product n/a
Published Mar 5, 2026
Last Updated Mar 17, 2026

Affected Versions

n/a / n/a
n/a

References

docs.arandasoft.com: https://docs.arandasoft.com/asdk-api/pages/V1.9/descripcion/adjuntar_archivos.html
github.com: https://github.com/0xcronos/CVE/blob/main/CVE-2025-70995/README.md
docs.arandasoft.com: https://docs.arandasoft.com/asdk-v8-release-notes/assets/asdk-v8-release-notes.pdf